This csrf_token value is the value of the token. There are scenarios when a subdomain attacker can set the CSRF cookie for the whole domain and this ends up in the victim's site. The cookie value is never reset so it can even be used to persist an XSS attack. Also, the CSRF cookie should support the option to be a secure and/or httponly cookie.

The documentation specifies that subdomains can circumvent the CSRF protection, which is a lot different than saying that subdomains can insert HTML at will in your site.

That's exactly what I was saying - I accepted the ticket. I was merely warning that Django in general is not secure against untrusted subdomains. We are also vulnerable to session fixation attacks from untrusted subdomains (something I do not know any solution for).
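The subdomain cookie problem raised in the first comment, as an added illustration that is not from the ticket or from Django's code: a constructed model of a pure double-submit check (cookie value compared to form value) next to a check that binds the token to server-side session state. The request dictionaries, session store and token strings are all made up for the demonstration.

```python
import hmac
import secrets


def double_submit_check(cookie_token, form_token):
    """Pure double-submit: accept when the CSRF cookie and the form field agree.

    If a subdomain can set the cookie for the parent domain, it controls both
    sides of this comparison, so the check says nothing about who made the request.
    """
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def session_bound_check(session_store, session_id, form_token):
    """Accept only when the form token matches the value the server stored for this session.

    The token never depends on a cookie the client (or a sibling subdomain) chose,
    so a tossed cookie alone cannot satisfy it.
    """
    expected = session_store.get(session_id)
    if expected is None or not form_token:
        return False
    return hmac.compare_digest(expected, form_token)


def tossed_cookie_request():
    """Constructed forged request: an untrusted subdomain set the CSRF cookie for
    the parent domain, then submitted a form carrying the same attacker-chosen value."""
    chosen = "subdomain-chosen-value"  # constructed, not a real token
    return {"cookie": chosen, "form": chosen, "session_id": "victim-session"}


def compare_checks(request, session_store):
    """Run both verifications on one request; returns (double_submit_ok, session_bound_ok)."""
    ds = double_submit_check(request["cookie"], request["form"])
    sb = session_bound_check(session_store, request["session_id"], request["form"])
    return ds, sb


if __name__ == "__main__":
    # Constructed server-side state: the victim's session holds a random token
    # that the subdomain never saw.
    store = {"victim-session": secrets.token_hex(16)}
    print(compare_checks(tossed_cookie_request(), store))  # (True, False)
```

The model also shows why the Secure/HttpOnly flags asked for in the first comment help only with transport and script access, not with the domain-scoping issue, which a cookie-independent token addresses. Django does expose CSRF_COOKIE_SECURE and CSRF_COOKIE_HTTPONLY settings for those two flags.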